Device for monitoring a processor

ABSTRACT

A device for monitoring a processor is described. A watchdog simultaneously monitors the system clock, the software base functions and performs a check of the tests of the system components of the processor. If an error is detected, the watchdog communicates this to the processor, an error counter is incremented and at least one device that is connected to the processor is blocked. If the error counter attains a predetermined value, the block is continued until the device of the present invention is deactivated. If an additional error is detected during a blocking time, the blocking time is extended.

BACKGROUND INFORMATION

[0001] The present invention is directed to a device for monitoring a processor according to the definition of the species of the independent claim.

[0002] It is already known to provide a watchdog for a microcontroller system, which is triggered at specific time intervals and even awaits this triggering in defined time windows. This is known as a window watchdog. If the watchdog is triggered outside the window, the microcontroller system is reset.

ADVANTAGES OF THE INVENTION

[0003] In contrast, the device of the present invention for monitoring a processor having the features of the independent claim has the advantage that the tasks of the watchdog may be performed separately and independently of each other but concurrently. In this way, not only dominant errors are detected but also all errors occurring while the particular tasks are being performed. These tasks include monitoring the system clock, monitoring the correct sequence of system-relevant software base functions and monitoring built-in self-tests of system components such as, for example, memory modules or other components within the processor.

[0004] Furthermore, a reset function is advantageously eliminated; instead, when errors are detected, an error message is sent to the processor, i.e., the microcontroller, and an error counter is incremented if necessary. It is thus possible for the processor to communicate with the watchdog at any time but also with the environment of the control unit in which the processor is located.

[0005] The measures and enhancements cited in the dependent claims make advantageous improvements of the device for monitoring a processor specified in the independent claim possible.

[0006] It is advantageous in particular that the watchdog performs a software check by sending test queries to the processor, the watchdog then checking corresponding replies from the processor for correctness and whether these replies were received at the correct point in time. In this way, the relevant software base functions of the processor are checked for correct function.

[0007] Furthermore, it is an advantage that the check of system components is initialized by tests assigned to the processor by the watchdog, the watchdog then checking corresponding assignment acknowledgments for correctness and the corresponding point in time at which the assignment acknowledgment was received.

[0008] It is an advantage that when an error is detected, the watchdog directly blocks the device connected to the processor, preferably an output stage for triggering an airbag, for a specified period of time. If additional errors are detected within this blocking time, the block is prolonged accordingly. If an error results in a block, an error counter is incremented. If the error counter is equal to a predetermined value, the block is performed until the watchdog is deactivated. In a motor vehicle, this is the time span until the driving cycle is completed, i.e., the vehicle is turned off.

[0009] It is a further advantage that when the device of the present invention is activated, a block is first present on the device connected to the processor and this block is only canceled if the system clock, the software of the processor and the system components are free of errors. This makes it possible for the device connected to the processor to be activated only with a correctly functioning processor.

[0010] It is an advantage that the processor is able to read out the current error counter reading and the individual errors from the watchdog. This makes an exact analysis of the errors possible. It is also possible to use it to generate a prediction, instructions for correction or even a warning.

[0011] Finally, it is also an advantage that the point in time of receipt of the assignment acknowledgment or the reply of the processor is determined by an internal counter of the watchdog and that an error is detected if the point in time is exceeded or not met.

DRAWING

[0012] Exemplary embodiments of the invention are depicted in the drawing and explained in greater detail in the following description. FIG. 1 shows a block diagram of the device according to the present invention;

[0013] FIG. 2 shows a flow chart of a method of the device according to the present invention and

[0014] FIG. 3 shows a block diagram of the watchdog which shows the particular function blocks for the individual checks.

DESCRIPTION

[0015] Present-day watchdogs must perform various tasks for monitoring a processor. Frequently, a microcontroller is used as a processor in safety-critical systems. However, other processor types may be used also. Safety-critical systems are, for example, restraint systems in a motor vehicle. In this case, it is necessary to check a controlling processor in order to prevent an erroneous triggering of an airbag, which may result in injuries. The processor is located together with the watchdog in a control unit for the restraint system.

[0016] According to the present invention, therefore, a device is used which has separate hardware in a watchdog for each of the different tasks, so that the tasks are processed concurrently. Furthermore, the device of the present invention has the advantage that when an error is present, it is possible to communicate with the environment, with external diagnostic software, for example, thus no reset is performed. In this case, the watchdog performs the following tasks simultaneously and independently of each other: the monitoring of the processor's system clock, the software check in the processor and the monitoring of the tests of system components of the processor, for example, memory modules (RAM). A separate block of hardware is present for each of these three tasks, it being possible as an alternative for this to run on one processor, which assigns corresponding computing time to the particular tasks. The watchdog sends a query or task to the processor. The query is manipulated using small watchdog functions that run in the software base functions of the processor. The tasks trigger test routines in the background. These tests then check, for example, RAM, ROM and/or other system components.

[0017] If an error is detected, the watchdog initiates a block of a device connected to the processor. This prevents a malfunction of the processor resulting in the triggering of a device, a restraint system, for example.

[0018] A block diagram of the device of the present invention for monitoring a processor is shown in FIG. 1. A watchdog 4 has the components window watchdog 5, clock pulse generator 6 and counter 7. Window watchdog 5 has logic circuits. A processor 1 is connected to a memory 2 via a first data input/output, it also being possible for memory 2 to be integrated in processor 1. Processor 1 is connected to a restraint system 3 via a second data input/output. The connection may also be implemented using a bus. Processor 1 is connected to window watchdog 5 via a third data input/output. One data output of processor 1 leads to a first data input of window watchdog 5. If necessary, pulse dividers are present within window watchdog 5, which divide the clock pulse appropriately. Clock pulse generator 6 is connected to a second data input of window watchdog 5. Clock pulse generator 6 is independent of the clock pulse used by processor 1. Window watchdog 5 is connected to counter 7 via a second data input/output. Clock pulse generator 6 and counter 7 may each be a component of window watchdog 5. Instead of the one counter 7, one counter may be provided for the monitoring of the software base functions and one counter for the monitoring of the tests of the system components. Furthermore, window watchdog 5 is connected directly to restraint system 3 via a data output in order to block restraint system 3 when an error is detected.

[0019] In this case, processor 1 controls restraint system 3. For that purpose, processor 1 is, if necessary, connected to sensors in order to detect a triggering event for restraint system 3 and to classify, if necessary, persons to be protected in the vehicle. The function of processor 1 is checked by window watchdog 5. This function check is broken down into three tasks. First, the system clock of processor 1 is checked to determine if this system clock deviates from a predetermined value. For that purpose, processor 1 transfers its system clock to window watchdog 5.

[0020] Window watchdog 5 counts this clock pulse and compares it with a reference clock pulse, which is generated using clock pulse generator 6. If the deviation between the system clock of processor 1 and the clock pulse of clock pulse generator 6 exceeds a specific threshold value, an error is detected. This error is then communicated to processor 1; an error counter is incremented and via direct lines window watchdog 5 causes restraint system 3 to be blocked for a specific period of time. If an additional error is detected within this specified period of time, the block is then extended for a corresponding period of time.

[0021] Window watchdog 5 continues to check the operational capability of software functions of processor 1. These software base functions are necessary for the basic functionality of processor 1.

[0022] The actual task of a control unit for restraint systems 3 is to detect a crash. To that end, the following functions are processed every 500 μs, for example, as the software base functions:

[0023] Input of the sensor signals

[0024] Signal processing

[0025] Calculation of the algorithm to control the restraint system

[0026] In the event of a crash: Determination of assigned firing devices

[0027] Triggering of these firing devices

[0028] All of these functions must be processed, it being necessary in particular to maintain this sequence. For example, it is not possible to calculate the algorithm without having input sensor signals.

[0029] Window watchdog 5 performs this check via its first data input/output. For that purpose, window watchdog 5 sends test queries to processor 1, which processor 1 answers according to the software base functions present. Processor 1 then transfers these replies to window watchdog 5, which compares the replies with predetermined replies and also determines the particular point in time at which it received the particular replies. Window watchdog 5 determines these points in time using counter 7. If the reply or the point in time deviates from predetermined values, then window watchdog 5 detects an error and performs the corresponding error handling as described (blocking of restraint system 3). The query of watchdog 5 is changed in processor 1 with the aid of simple watchdog functions, primarily shift operations and masking operations. After all the watchdog functions that are distributed in the system-relevant software base functions have been processed, the value thus obtained is returned to the watchdog as a reply. During the check by window watchdog 5, it is made certain that the sequence of the watchdog functions and the processing of all watchdog functions has been followed. Counter 7 is designed in such a way that an error is detected if the reply arrives too early or too late.
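The query/reply check of paragraph [0029], sketched as an added example that is not part of the patent text. The rotate-then-XOR transform, the per-stage mask values and the tick window are constructed assumptions; the description only says that the watchdog functions are primarily shift and masking operations and that a reply arriving too early or too late is an error.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed masks, one per software base function: sensor input,
   signal processing, algorithm, firing assignment, triggering. */
static const uint16_t STAGE_MASK[5] = {0x1D2B, 0x6A41, 0x93C7, 0x2E58, 0xB0F3};

/* Small watchdog function embedded in one base function (assumed form):
   a shift (16-bit rotate left by 3) followed by a mask (XOR). */
static uint16_t wd_step(uint16_t v, int stage) {
    v = (uint16_t)((v << 3) | (v >> 13));
    return (uint16_t)(v ^ STAGE_MASK[stage]);
}

/* Processor side: the query passes through the stages in execution order,
   so the final value depends on every stage running, in sequence. */
uint16_t cpu_reply(uint16_t query, const int *order, size_t n) {
    uint16_t v = query;
    for (size_t i = 0; i < n; i++)
        v = wd_step(v, order[i]);
    return v;
}

/* Watchdog side: reply expected for the complete, correctly ordered run. */
uint16_t wd_expected(uint16_t query) {
    static const int full[5] = {0, 1, 2, 3, 4};
    return cpu_reply(query, full, 5);
}

enum wd_result { WD_OK = 0, WD_WRONG_REPLY, WD_TOO_EARLY, WD_TOO_LATE };

/* Window check: `ticks` is the counter reading when the reply arrived,
   counted from the independent reference clock, not the processor clock. */
enum wd_result wd_check(uint16_t query, uint16_t reply, uint32_t ticks,
                        uint32_t win_open, uint32_t win_close) {
    if (ticks < win_open)  return WD_TOO_EARLY;
    if (ticks > win_close) return WD_TOO_LATE;
    return reply == wd_expected(query) ? WD_OK : WD_WRONG_REPLY;
}
```

A skipped or reordered base function changes the reply, and a correct reply outside the window is still an error, so a processor that is stuck in a loop or running at the wrong rate cannot satisfy the check.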

[0030] Furthermore, window watchdog 5 performs a monitoring of the tests of the system components of the processor via its data input/output. To that end, watchdog 5 sends test assignments to processor 1, which processes them and returns corresponding assignment acknowledgments to window watchdog 5. Using the assignment acknowledgment, window watchdog 5 in turn monitors whether the tests of the system components were correct and received at the correct point in time. If the assignment acknowledgments are not correct or the assignment acknowledgment arrived too early or too late, an error is then detected. A test of a system component is initiated using the test assignment. The test itself then results in the assignment acknowledgment. In doing so, it is ensured that the assignment acknowledgments only correspond to the expected assignment acknowledgment if the test of the system component was processed without error.

[0031] The check of the software base functions using the watchdog functions is processed in processor 1 at a higher priority than the check of the system components. In doing so, only the remaining time is assigned to the check of the system components in a specified time period. For each of the three tasks of system clock check, software check and system components check, window watchdog 5, as shown in FIG. 3, has separate hardware components of logic circuits so that there is a genuine parallelism of the processing on the part of the window watchdog.

[0032] Block 23 is responsible for the check of the clock pulse, block 24 for the check of the software base functions and block 25 for the check of the system components. The system clock is connected to the first input of clock pulse check 23. Clock pulse check 23 then checks it for deviation from the predetermined internal reference clock pulse, clock pulse generator 6 being connected to the second input of function block 23. If there is an error, a signal is generated at the output of function block 23, the signal being linked to the outputs of function blocks 24 and 25 using an OR gate 26 so that when at least one error is detected, an error is displayed at output 27 of OR gate 26. In addition, function block 24 is connected to the data input/output of processor 1 via its data input/output in such a way that a check of the software base functions is possible. On the other hand, function block 25 is connected to processor 1 via its data input/output in such a way that a test of the system components is possible.

[0033] Since processor 1 is able to communicate with window watchdog 5 at all times, even during a block, it is also possible that processor 1 is able to read out the error counter reading and the individual errors for further processing.

[0034] A flow chart is shown in FIG. 2 which depicts the operating sequence of the device according to the present invention.

[0035] In step 8, the device of the present invention is activated and a block of restraint system 3 by window watchdog 5 is initiated first. In steps 9 a, 9 b and 9 c, the system clock, the software base functions and the system components are then monitored concurrently and independently of each other.

[0036] In step 10, it is checked whether or not at least one error is displayed at OR gate 26. If this is the case, then a return is made to steps 9 a, 9 b and 9 c to check whether or not the system clock, the software and the system components are in order for a minimum period of time. All parts 23, 24 and 25 of window watchdog 5 must be correctly operated for one second, for example, to unblock the restraint system. Only then is freedom from errors detected and it is then possible to move from step 10 to step 11 to cancel the block of restraint system 3.

[0037] In steps 12 a, 12 b and 12 c, tests of the system clock, the software base functions and the system components of processor 1 are repeated. In step 13, it is checked again whether or not an error is displayed at the output of OR gate 26. If this is not the case, then a return is made to steps 12 a, 12 b and 12 c in order to repeat the tests. If, however, an error was detected, this error is then communicated to processor 1 by window watchdog 5 in step 14, an error counter is incremented and restraint system 3 is blocked. In step 15, it is also checked if the error counter has in the meantime reached a predetermined value, which would result in a continuous block of restraint system 3 until the device of the present invention is deactivated. Therefore, the block is maintained in step 16 until deactivation.

[0038] In step 17, however, if the predetermined value of the error counter was still not reached, the block is discontinued for a specified period of time. In steps 18 a, 18 b and 18 c, the system clock, the software base functions and the system components are rechecked in order then to determine in step 20 if an error was detected within the block of restraint system 3, so that if this is the case, the block must be extended accordingly in step 21. If this is not the case, then the block is canceled in step 22 after the end of the time period in order then to return to step 14.
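The blocking behaviour summarised in the abstract and in paragraphs [0008] and [0009], modelled as a tick-driven state machine. This is an added example, not code from the patent. It assumes constructed tick counts and error limit, that an error during a timed block restarts the blocking period, and that only an error which starts a block increments the counter.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed parameters; the page gives only "one second, for example". */
#define STARTUP_CLEAN_TICKS 1000u /* error-free time needed after activation */
#define BLOCK_TICKS          500u /* assumed length of one timed block */
#define ERROR_LIMIT            3u /* assumed predetermined counter value */

enum wd_state { WD_STARTUP, WD_RELEASED, WD_TIMED_BLOCK, WD_LATCHED };

struct wd {
    enum wd_state state;
    uint32_t timer;       /* clean ticks (startup) or remaining block ticks */
    uint32_t error_count; /* the processor may read this at any time */
};

/* Activation: the connected device starts out blocked. */
void wd_activate(struct wd *w) {
    w->state = WD_STARTUP;
    w->timer = 0;
    w->error_count = 0;
}

/* True while the watchdog holds the output stage blocked. */
bool wd_blocked(const struct wd *w) { return w->state != WD_RELEASED; }

/* Advance one tick; `error` is the OR of the clock, software and
   system-component check outputs. No reset is ever issued. */
void wd_tick(struct wd *w, bool error) {
    switch (w->state) {
    case WD_STARTUP:               /* release only after a clean interval */
        if (error) w->timer = 0;
        else if (++w->timer >= STARTUP_CLEAN_TICKS) w->state = WD_RELEASED;
        break;
    case WD_RELEASED:
        if (!error) break;
        w->error_count++;
        if (w->error_count >= ERROR_LIMIT) w->state = WD_LATCHED;
        else { w->state = WD_TIMED_BLOCK; w->timer = BLOCK_TICKS; }
        break;
    case WD_TIMED_BLOCK:
        if (error) w->timer = BLOCK_TICKS;      /* extend the block */
        else if (--w->timer == 0) w->state = WD_RELEASED;
        break;
    case WD_LATCHED:               /* blocked until the device is deactivated */
        break;
    }
}

/* Feed n identical ticks. */
void wd_run(struct wd *w, bool error, uint32_t n) {
    while (n--) wd_tick(w, error);
}
```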

What is claimed is:
 1. A device for monitoring a processor (1), it being possible to connect the processor (1) to a watchdog (5) for monitoring, it being possible to connect the watchdog (5) to an internal clock pulse generator (6) for monitoring a system clock of the processor (1), wherein the watchdog (5) has means for checking the software of the processor (1) and means for monitoring tests of system components (2) of the processor (1); and the watchdog (5) transmits an error message to the processor (1) in the event that at least one error is detected and increments an error counter.
 2. The device as recited in claim 1, wherein the watchdog (5) transmits test queries to the processor (1) during the software check and monitors replies from the processor (1) for correctness and point in time.
 3. The device as recited in claim 1 or 2, wherein, when the tests of the system components (2) are monitored, the watchdog (5) transfers test assignments to the processor (1) and the processor (1) returns the [test assignments] to the watchdog (5) corresponding to the assignment acknowledgment, which the watchdog (5) monitors for correctness and point in time.
 4. The device as recited in one of the preceding claims, wherein, in the case of the at least one detected error, the watchdog (5) blocks the function of a device (3) connected to the processor (1) for a specified period of time, the watchdog (5) being directly connectable to the device (3).
 5. The device as recited in claim 4, wherein the watchdog (5) extends the block of the device (3) if the watchdog (5) detects at least one additional error during the block.
 6. The device as recited in one of the preceding claims, wherein, when the error counter has reached a predetermined value, the watchdog (5) initiates a block of the device (3) until the watchdog (5) is deactivated.
 7. The device as recited in one of the preceding claims, wherein the device (3) connectable to the processor (1) is a restraint system.
 8. The device as recited in one of the preceding claims, wherein, when activated, the watchdog (5) initiates a block of the device (3) until the watchdog (5) detects freedom from errors in the system clock, the software of the processor (1) and the system components.
 9. The device as recited in one of the preceding claims, wherein the processor (1) is able to read out the error counter and individual errors from the watchdog (5).
 10. The device as recited in one of claims 2 through 9, wherein the watchdog (5) determines the points in time of the replies of the processor (1) and the assignment acknowledgments using at least one internal counter (7). 